Disaster Recovery: Test, Invest and Educate

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability.

Amidst internal and external security threats, natural disasters, hacking attempts and technological changes, banks and service providers today are constantly faced with the possibilities of data loss, security breaches and breaks in business continuity. These institutions are being asked more frequently than ever what plans they have in place for speedy recovery should systems be compromised. After a number of hard-hitting storms in the United States, including Hurricane Sandy and the devastation that recent tornadoes wrought on the Midwest, attention is focused on preparing for a recovery after natural disasters. Though preparing for natural impact is important, it is easy to forget that there is just as much, if not more, potential for malicious manmade threats from a security and technology perspective.

All disaster recovery efforts, whether they are for natural disasters or security threats, must ultimately be tested for efficiency and reliability. While banks across the board conduct regular tests, the way in which these tests are conducted is crucial to determining a bank’s true ability to recover in the event of a disaster. In most instances, testing can be considered either static or dynamic. Most disaster recovery tests currently conducted are static in nature, meaning they are crafted to be sterile and built for success, to allow banks to ‘prove’ they have the ability and tools needed to succeed in the event of disruption. In these instances, banks and service providers are able to conduct tests and prove they have a perfect fail-over recovery system in place. The issue here is that these tests are rarely built to actually mimic any real disaster.

An alternative to static testing is dynamic testing. In this instance, banks implement tests that stress their systems, processes and procedures to provide a more accurate look at how the disaster recovery systems in place may work in the event of true disruption. These tests are designed to push bank systems to their limits and are undoubtedly more difficult. The risk with dynamic tests is that adding more variability, more uncertainty and more issues requiring resolution makes it less likely that institutions will be able to complete the tests and prove complete fail-over. The benefit is that because these tests are designed to evaluate systems and processes in the most real-world, worst-case scenarios, institutions learn a great deal about the true ability of their disaster recovery plans. As a result, they are able to make necessary adjustments to better prepare themselves for prospective disaster. Though peppered with potential for test failure, the benefits of dynamic testing strongly outweigh potential perception risk.

Another important aspect of a sound disaster recovery infrastructure is the ability to deal with and rapidly recover from denial of service attacks, which have quickly become one of the largest, most common threats to banks in recent years. These attacks, often from overseas, can easily infiltrate thousands of computers and overwhelm entire networks and servers, rendering sites useless until service can be restored. Banks need multiple layers of protection to be best prepared for these seemingly random attacks. This starts with an institution’s ISP and includes hardware and software at all data centers, as protecting each piece is an imperative part of being prepared for these potential attacks. Particularly for smaller regional and community banks, finding a vendor solution provider that can provide the best technological capabilities and tools for intrusion detection and prevention is extremely important.

Finally, in addition to regular testing and security measures, continual education of IT personnel is also a key factor in ensuring banks and service providers are properly prepared. While testing aims to stress systems and processes in case of a disaster, investing in a knowledgeable IT staff can actually serve as a preventative measure. In small and large banks alike, regular employee education and training are an important step in the disaster recovery process, as many technological threats derive from virus-infected emails, links and other Trojan horses employees may encounter.

Modern advancements in technology have increased the general expectation that services provided by banks and service providers are invincible, secure and always available. These institutions are expected to find ways to keep the lights on even through the storm. With regular dynamic testing, investments in security technologies, and staff education, banks and service providers will be best prepared to face threats of manmade or natural disasters.